PA-DSS Security Implementation Guide

This document applies only to Version 4.2 of Image Technology Systems’ VisualMatrix™ property management system. For a copy of the latest PA-DSS Security Implementation Guide, contact Image Technology Systems customer support by phone, email or written request at:

© Image Technology Systems
Phone 214.291.4000 • Fax 214.291.4007

Revision History

Name         Title                      Date/Version of Update   Summary of Changes
Chet Fields  VP of Product Development  09/30/2013 – 4.2.0       PCI 1.2 to 2.0 / ReCert
Chet Fields  VP of Product Development  06/26/2012 – 3.5.3       Annual Review
Chet Fields  VP of Product Development  10/28/2011 – 3.1.2       Annual Review
Chet Fields  VP of Product Development  09/28/2010 – 2.8.1       Annual Review / ReCert
Chet Fields  VP of Product Development  12/15/2009 – 2.3.4       Annual Review
Chet Fields  VP of Product Development  11/18/2008 – 1.8.3       Annual Review
Chet Fields  VP of Product Development  12/07/2007 – 1.7.1       Initial Release

PA-QSA Assessor:

Table of Contents

Revision History ... ii
General Information ... 5
    About This Document ... 5
    Conventions used in this Guide ... 5
    PCI Overview ... 6
    12 requirements of the PCI-DSS ... 7
    PCI-DSS Compliance and PA-DSS Validation Differences ... 9
VisualMatrix™ and the PCI-DSS ... 10
    Build and Maintain a Secure Network ... 10
        Network Requirements ... 11
        Data Protection ... 13
        Security Administrators – Key Management ... 13
        Data Storage ... 16
        Electronic Data ... 16
        Physical Data ... 17
    Maintain a Vulnerability Management Program ... 19
        Vulnerability Testing ... 19
        Anti-Virus Software ... 19
    Implement Strong Access Control Measures ... 20
        System Access and Connectivity ... 20
        Account Access ... 21
        Remote Account Access ... 22
        Administrator Account Access ... 23
        Windows Server Access ... 24
    Regularly Monitor and Test Networks ... 28
        VisualMatrix™ Security Auditing and Logging ... 28
        Security Auditing ... 28
        Sensitive Data Audit ... 30
    Maintain an Information Security Policy ... 31
        Create a Security Policy ... 31
Payment Application Data Security Standard ... 33
    PA-DSS considerations for proper Implementation of VisualMatrix™ in PCI-DSS compliant environments ... 33
        Remove Historical Credit Card Data (PA-DSS 1.1.4.a) ... 33
        Sensitive Authentication Data Requires Special Handling (PA-DSS 1.1.5.c) ... 34
        Purging of Cardholder Data (PA-DSS 2.1.a) ... 34
        Key Management Roles and Responsibilities (PA-DSS 2.5 and PA-DSS 2.6) ... 35
        Removal of Cryptographic Material (PA-DSS 2.7.a) ... 36
        Payment application enforces secure authentication credentials ... 37
        Audit Trails and Centralized Logging (PA-DSS 4.1, PA-DSS 4.3 and PA-DSS 4.4) ... 38
        (PA-DSS 5.4) ... 39
        PCI-Compliant Wireless Settings (PA-DSS 6.1.b and PA-DSS 6.2.b) ... 39
        Never Store Cardholder Data on Internet-Accessible Systems (PA-DSS 9.1) ... 41
        PCI-Compliant Remote Access Using Two-Factor Authentication (PA-DSS 10.2) ... 41
        Data Transport Encryption (PA-DSS 11.1) ... 44
        PCI-Compliant Use of End User Messaging Technologies (PA-DSS 11.2) ... 44
        Non-console Administration (PA-DSS 12.1) ... 45
        VPN or High Speed “Always On” Connections (PA-DSS 12.3.9) ... 45
    Installing the VisualMatrix™ Software ... 46
        VisualMatrix™ Server Installation ... 46
        VisualMatrix™ Client Installation ... 48

General Information

About This Document

This document is intended as a quick reference guide to provide users with information concerning Image Technology Systems’ adherence to the PCI Data Security Standard (PCI-DSS) and VisualMatrix™ adherence to the Payment Application Data Security Standard (PA-DSS) maintained by the PCI Security Standards Council. This document relates specifically to Image Technology Systems’ VisualMatrix™ software.

Conventions used in this Guide

Each convention is marked in the guide by an icon (Symbol), with the following Title and Meaning:
• PCI-DSS / PA-DSS Guidance: Provides additional guidance as to what actions should be taken according to PCI-DSS or PA-DSS requirements.
• Potential Non-compliance Pitfalls: Highlights potential problem areas, required PCI DSS practices and/or provides cautionary information against potential compliance misunderstandings and violations.
• Notes: Provides additional information or resource locations regarding an aspect of the application, a procedure, PCI-DSS or PA-DSS requirements.

PCI Overview

The Payment Card Industry Security Standards Council was formed as a result of collaboration between Visa, MasterCard, AMEX, Discover, and JCB to create and standardize common payment security requirements across the entire credit card industry. The result was a new merchant security standard called the Payment Card Industry Data Security Standard (PCI-DSS, or simply “PCI”). This multi-faceted, constantly evolving security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It is intended to help organizations proactively protect their customer account data in today’s rapidly changing internet and computing environment.

Credit card companies require compliance with PCI standards for every entity that is involved in the storage, processing, or transmission of credit card information. Failure to comply can result in denial or revocation of your organization’s ability to process credit cards. Non-compliance also places your organization at risk of legal and/or civil consequences if credit card information becomes compromised.

This document is provided as a guide to assist you with becoming and remaining PCI compliant in conjunction with your organization’s PCI-DSS certification.

12 requirements of the PCI-DSS:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

For further information on complete merchant responsibilities under PCI-DSS Requirements, please refer to resources available from the PCI Security Standards Council at: https://www.pcisecuritystandards.org/index.shtml

PA DSS v2.0 (IMAGE TECHNOLOGY SYSTEMS’ COMPLIANCE)

VisualMatrix™, when used as designed, has been certified as compliant under the Payment Application Data Security Standard v2.0 (PA-DSS). PA-DSS v2.0 is a security standard that applies to software vendors that develop credit card applications for merchants. Software compliance does not automatically make you, as a merchant, PCI compliant, but it is an important and necessary step toward minimizing the potential for security breaches leading to compromises of sensitive cardholder data.

PCI-DSS Compliance and PA-DSS Validation Differences

As a software vendor, Image Technology Systems’ (ITS) responsibility is to be “PA-DSS Certified”. ITS performs internal assessment and certification compliance reviews with Datassurant, our independent PA-QSA assessment firm, to ensure that VisualMatrix™ conforms to industry best practices when handling, managing and storing payment related information. PA-DSS is the standard against which VisualMatrix™ is tested, assessed, and certified. PCI-DSS compliance is then later obtained by the merchant, and is an assessment of their actual server (or hosting) environment.

While Image Technology Systems recognizes the importance of upholding cardholder data security and integrity, most, if not all, parameters of the PCI Data Security Standard and the process of achieving and maintaining ‘PCI-DSS Compliance’ are the responsibility of the merchant or service provider, using PCI-DSS compliant server architecture along with proper hardware/software configurations, access control procedures and a clearly defined enterprise security policy covering at a minimum all PCI-DSS applicable areas.

This guide contains a section for each of the 12 PCI Data Security Standard requirements, including information explaining how VisualMatrix™ software conforms to the PCI Data Security Standard. The PA-DSS certification is intended to ensure that VisualMatrix™ will help our clients more easily meet, achieve and maintain PCI-DSS compliant environments.

VisualMatrix™ and the PCI-DSS

Build and Maintain a Secure Network
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters

Installation
New VisualMatrix™ installations will meet all PA DSS v2.0 compliance requirements.

Upgrade
VisualMatrix™ revisions prior to 4.2 did not store magnetic stripe data, card validation codes, PINs or PIN blocks, and therefore secure removal is not required. However, the upgrade will encrypt the sensitive credit card information that remains in the database, making your upgraded VisualMatrix™ account PA DSS v2.0 compliant.

Previous VisualMatrix™ Versions
VisualMatrix™ revisions prior to 4.2 will no longer be PCI compliant. Please contact Image Technology Systems to discuss securing sensitive data on these revisions.

PCI DSS v2.0 (Merchant Compliance)
The basic requirements that a merchant must meet in order to become certified as PCI-compliant are listed below. Use this information to develop a formalized PCI Security Policy document for your organization.
Please keep in mind that your PCI Security Policy will be unique to your company and its methods of doing business.

Network Requirements

Wired Network

WebLink Server Connection Requirements (if purchased separately)
• An Image Technology Systems approved and configured WebLink Server is required for PA-DSS compliance in conjunction with VisualMatrix™.
• A secure connection between the VisualMatrix™ application server and the WebLink server must be established and maintained at all times.
• The WebLink Server must be contained on a separate DMZ network with a firewall between the DMZ network and the VisualMatrix™ network. Only the ports required for the system to function properly should be open between the WebLink server and the VisualMatrix™ application server.
• If sensitive data is not encrypted between the VisualMatrix™ application server and the WebLink server, the VisualMatrix™ software is rendered non-compliant.

Wireless Network

Firewall
• Install perimeter firewalls between any wireless networks and the VisualMatrix™ Server. Configure these firewalls to deny traffic from the wireless environment into the VisualMatrix™ Server.
• Your wireless firewall configuration must be documented and reviewed regularly to ensure that it continues to meet PCI standards.

Connection
• Wireless routers should be configured to disable automatically during off-hours.
• Wireless connections should be configured to use the highest level of encryption possible. Do not use the common WEP encryption that is the default on many wireless routers. VisualMatrix™ uses Hypertext Transfer Protocol Secure (HTTPS) for all connections to credit card service providers.
• WEP is prohibited on new implementations after March 31, 2009.
• WEP is prohibited on existing implementations after June 30, 2010.

Authentication
• For wireless environments connected to VisualMatrix™ or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
• Ensure wireless networks transmitting cardholder data or connected to VisualMatrix™ use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
• Do not use vendor supplied default passwords and security parameters on wireless network devices.
• All wireless network device passwords and encryption keys must be changed immediately when a user with knowledge of the passwords and/or keys leaves the company or changes positions within the company.

Firewall

In accordance with PCI-DSS v2.0 and industry best practices, Image Technology Systems strongly recommends that:
• All systems containing sensitive information (servers, databases, wireless access points, etc.) reside behind a firewall in order to protect that data as well as meet PCI-DSS requirements.
• No services unrelated to the VisualMatrix™ installation should run on the VisualMatrix™ Server.
• Your entire network must be protected with a firewall configured to deny all traffic except that which you expressly need and permit in order for your business to function.
  o Required ports are 7000/TCP, 445/TCP, and the Windows File and Printer Sharing ports. Depending on SQL configuration, a separate port for SQL may be required.
• Your firewall configuration must be documented and reviewed regularly to ensure that it continues to meet PCI standards.
• Personal computers, PDAs, Pocket PCs, laptops and any other devices that use remote-access technologies to access the VisualMatrix™ Server require the installation of a personal firewall directly on the device.
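The "deny everything except what is expressly needed" rule above is easy to state and easy to let drift. The following Python script is an added example (not code from the guide or from Image Technology Systems) of a periodic review check: it takes a firewall rule export in a simple constructed form and reports any allow rule for a port VisualMatrix™ does not need, any over-broad allow rule, any required port with no rule at all, and a policy that does not end in an explicit default deny. The `Rule` shape and both sample rule sets are constructed for the example; the NetBIOS numbers used for "Windows File and Printer Sharing" (137/UDP, 138/UDP, 139/TCP) and SQL Server's default listener 1433/TCP are the standard values, not numbers taken from the guide.

```python
"""Audit a firewall rule set against the VisualMatrix port allowlist (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Ports the guide lists as required: 7000/TCP, 445/TCP and the Windows File and
# Printer Sharing ports. The NetBIOS numbers are the standard ones for File and
# Printer Sharing (assumption: the guide does not enumerate them).
REQUIRED_PORTS: Set[Tuple[str, int]] = {
    ("tcp", 7000), ("tcp", 445), ("udp", 137), ("udp", 138), ("tcp", 139),
}
# Only opened when the operator confirms SQL Server needs its own port
# ("depending on SQL configuration"); 1433/TCP is SQL Server's default listener.
OPTIONAL_SQL_PORT = ("tcp", 1433)


@dataclass(frozen=True)
class Rule:
    """One firewall rule in vendor-neutral form (constructed for this example)."""
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means every port


def audit_rules(rules: List[Rule], sql_required: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the policy matches the guide."""
    allowed = set(REQUIRED_PORTS)
    if sql_required:
        allowed.add(OPTIONAL_SQL_PORT)
    findings: List[str] = []

    # The policy must close with a catch-all deny; anything else is "allow by default".
    if not rules or rules[-1] != Rule("deny", "any", None):
        findings.append("policy does not end with an explicit default-deny rule")

    opened: Set[Tuple[str, int]] = set()
    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.proto == "any" or rule.port is None:
            findings.append(f"over-broad allow rule: {rule.proto}/{rule.port or 'all ports'}")
            continue
        key = (rule.proto, rule.port)
        opened.add(key)
        if key not in allowed:
            findings.append(f"allow rule for a port VisualMatrix does not need: {rule.proto}/{rule.port}")

    # A required port with no rule means the application is broken, not just exposed.
    for proto, port in sorted(REQUIRED_PORTS - opened):
        findings.append(f"required port has no allow rule: {proto}/{port}")
    return findings


# Constructed sample rule sets; neither is taken from a real deployment.
COMPLIANT = [
    Rule("allow", "tcp", 7000), Rule("allow", "tcp", 445),
    Rule("allow", "udp", 137), Rule("allow", "udp", 138), Rule("allow", "tcp", 139),
    Rule("deny", "any", None),
]
DRIFTED = [
    Rule("allow", "tcp", 7000), Rule("allow", "tcp", 445),
    Rule("allow", "tcp", 3389),      # RDP opened directly instead of only through the VPN
    Rule("allow", "any", None),      # a catch-all "allow" left behind after troubleshooting
]

if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, audit_rules(rules) or ["no findings"])
```

Run it against the rule export from each quarterly review; the findings list is the evidence that the documented configuration still matches the deployed one.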
Protect Cardholder Data
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks

Data Protection

Operating System Security ‘Hardening’
• The operating system needs to be ‘hardened’ in order to remediate security vulnerabilities.
• For detailed information regarding operating system hardening, please refer to Microsoft documentation for Windows. Information is also available at www.microsoft.com.
• Only the ports needed for your specific communication needs should be enabled.
• Windows operating systems should only have the services installed that are specifically utilized.
• Failing to harden all operating systems utilized for VisualMatrix™ will render the software non-compliant.

Security Administrators – Key Management

Assignment
• Key employees in your organization should be given the ability to configure and maintain your encryption settings, change passwords and secure encryption keys. These employees will be known as Security Administrators.
• Restrict key access to the fewest number of Security Administrators necessary. A minimum of 2 Security Administrators should be assigned, a primary and a secondary.
• It is essential that at least 1 Security Administrator be available at all times. Vacations and holidays should be scheduled so that one Administrator is always available.

Compliance
• The Security Administrators must be familiar with every aspect of your PCI Security Policy, and your policies must ensure their compliance.
• Require that each Security Administrator sign a form detailing the responsibilities you have assigned them while creating your PCI Security Policy.
• Deletion of a master key, whether needed because of a compromised key or a database upgrade, must be done securely. To accomplish this, you must execute the “SDELETE” command on Windows servers. Extreme caution should be exercised when using this command, as it PERMANENTLY removes data from your hard drive.

Security Administrator – Key Custodian Form requirements

As part of PCI-DSS compliant key management practices, merchants are required to have an internal key custodian, and the key custodian must sign a form (which can be created in-house) agreeing or attesting that they understand and accept their data security and encryption key custodian responsibilities. The following list provides sample items from which system owners / administrators can develop a key custodial agreement form for authorized members of their merchant organization.

The custodial agreement should indicate:
• That Security Administrators authorized to administer VisualMatrix™ encryption keys (a.k.a. ‘key custodians’) are required to sign the agreement document as a condition of employment with the merchant organization and to indicate acceptance of custodial responsibilities.
• That the key custodian is in employment with the merchant organization on the date signed.
• That the key custodian has been provided access to VisualMatrix™ system security components (software, key-files, equipment, documentation, passwords) and agrees that he or she:
  o Understands that cryptographic encryption keys and information relating to the merchant organization’s PCI security infrastructure and cryptographic controls are most sensitive to the company.
  o Has read and understood the merchant organization’s information security policies and agrees to comply with those policies to the best of their ability (see PCI DSS Req. 12).
  o Understands that non-compliance with the merchant organization’s information security policies can lead to disciplinary and/or legal action.
  o Understands that exceptions to compliance will only occur where compliance would violate local, state, or federal law, or where a senior officer of the merchant organization or a law enforcement officer has given prior authorization.
  o Agrees never to divulge any key management or related security system passwords, processes, security hardware or secrets associated with the merchant organization’s systems to any third party, including other key custodians, unless authorized by a senior officer of the merchant organization or required to do so by law enforcement officers.
• That the key custodian agrees to report promptly and in full, to the correct merchant organization personnel, any suspicious activity, including but not limited to key compromise or suspected key compromise, and other activity which can include:
  o Indications of unauthorized system use or access.
  o Phone, email, text, or other message requests from unidentified sources requesting access to secure systems or information.
  o Unidentifiable files or applications found on systems in the cardholder data environment.
  o Unusual activity recorded in log files.
• That the key custodian has been given the ability to raise questions about the agreement and has had those questions answered satisfactorily.
• That the custodian agrees to all points and understands that an original copy of the agreement will be held on their personnel record and kept by the merchant organization for an indefinite period.
• That the agreement is dated, with the custodian’s name printed and signed, and was witnessed by a senior officer of the merchant organization.

Data Storage

Cardholder data handling
• Cardholder data must be stored on a computer that is segregated from the rest of your network and from public access. Thus, your VisualMatrix™ database cannot be located on the same server that hosts email, websites or any other network related functions.
• The VisualMatrix™ data server should never have direct internet connectivity or be assigned a public IP address.

Electronic Data

Storage
• Cardholder data that is stored or transmitted via the internet, e-mail, fax or wireless networks must be encrypted and protected from unauthorized access.
• VisualMatrix™ does not allow the transmission of cardholder data via email, instant messaging or any other medium.
• All VisualMatrix™ encrypted data is stored in the SQL Server VisualMatrix_Data.mdf file.
• PIN numbers, Card Validation Codes and the full contents of magnetic stripe tracks should NEVER be stored.
• During the installation/certification process VisualMatrix™ will allow for the rotation of the encryption keys for your server. These keys will be stored on removable devices (such as USB thumb drives), one of which will need to be installed on the server computer whenever the system is required to decrypt credit card numbers. The remaining devices are to be stored in a secure location (both on and off premises). A limited number of Customer employees will have access to the file contents.

Retention
• Data should not be stored longer than is strictly necessary. Cardholder data that exceeds the customer-defined retention setting will be purged during the Night Audit process.

Access
• You should grant permission to select users so they can view stored cardholder data. The number of users with access should be strictly limited.
• There is never a need for the Image Technology Systems support technician to extract or remove any sensitive data such as Track Data, CVV, PIN or PIN Block data from a client’s server for troubleshooting or testing. Therefore, this data is never returned to Image Technology Systems.

Logs
• Access logs for cardholder data should be reviewed and maintained for an indefinite time period.

Physical Data

Storage
• Handwritten cardholder data, encryption keys or encryption passwords must be stored in a secure, supervised area.
• Give consideration to alarm systems and security cameras.
• PIN numbers, Card Validation Codes, full unencrypted card numbers and the full contents of magnetic stripe tracks should NEVER be stored.

Retention
• Inspect your paper files during your compliance procedure and remove any sensitive data that should not be stored (PIN numbers, etc.).
• Physical copies of sensitive data should adhere to the same retention policies as electronic data. When no longer necessary for stated business purposes, documents containing cardholder information should be shredded or otherwise destroyed.

Access
• You should grant permission to select users so they can view physical cardholder data. The number of users with access should be strictly limited.
• Limit physical access to secure areas where data is stored.
• There is never a need for the Image Technology Systems support technician to extract or remove any sensitive data such as Track Data, CVV, PIN or PIN Block data from a client’s server for troubleshooting or testing. Therefore, this data is never returned to Image Technology Systems.

Backup Media

Storage
• Backup media should be stored in a secure, supervised area both on and offsite.

Retention
• Backup media should adhere to the same retention policies as electronic data. When no longer necessary, the media should be overwritten or destroyed.

Access
• You should grant permission to select users so they can view physical cardholder data. The number of users with access should be strictly limited.
• Limit physical access to secure areas where backup media is stored, both on and offsite.

Maintain a Vulnerability Management Program
Develop and maintain secure systems and applications
Use and regularly update anti-virus software

Vulnerability Testing
• Good security practices must include testing to identify potential vulnerabilities and develop appropriate safeguards. PCI standards require that you perform an external vulnerability scan by a qualified vendor at least quarterly. Results of the scan must be submitted to the PCI Security Standards Council. Approved Scanning Vendors (ASVs) are listed on the PCI Security Standards Council website.
Anti-Virus Software
• Anti-virus software should be deployed to protect your network, and each computer that connects to it, against spyware, malware, worms, Trojans and any other malicious software that may attack your network environment.
• Your anti-virus software and Windows operating system software should be updated frequently to ensure that your protection is always current.
• Logs generated by your anti-virus software and Windows should be reviewed on a regular basis.

For further information on anti-virus use, and for complete merchant responsibilities under PCI DSS Requirement 5, please refer to resources available from the PCI Security Standards Council at: https://www.pcisecuritystandards.org/index.shtml

Implement Strong Access Control Measures
Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data

System Access and Connectivity
• You must use secure encrypted transmission technology such as IPsec, SSH, VPN or SSL V3 / TLS V1 for transmitting sensitive data over public networks.
• An IPsec, SSH, VPN or SSL V3 / TLS V1 connection is required for any non-console administrative access such as RDP.
• VisualMatrix™ Administrative access is handled using secure VNC tunnels with one-time encryption (RSA/AES) and single-use access tokens. One-time encrypted VNC packages are deployed upon token validation and destroyed when no longer in use. All VisualMatrix™ Administrative access is logged both in the VisualMatrix™ application and in the remote administrative tools.
• Multi-site implementations require the use of a closed VPN or SSH tunnel that restricts connections between untrusted networks and any system components in the cardholder data environment. Failure to do so is a violation of PCI-DSS v2.0.
• VisualMatrix™ VPN access must be disabled when not in use. If you request assistance, a VisualMatrix™ Customer Service technician will contact you to have access enabled.

Authentication
• Do not use vendor supplied default passwords and security parameters on network devices. Device passwords require 7 or more characters with a combination of letters, numbers and symbols, and should be changed every 90 days.
• All firewall device passwords and encryption keys must be changed immediately when a user with knowledge of the passwords and/or keys leaves the company or changes positions within the company.
• VisualMatrix™ does not use, nor interfere with, two-factor authentication systems that require a username and password combination and an additional authentication item such as a smart card or PIN number.
• Client use of remote access technologies (Terminal Server, Citrix, etc.) to access VisualMatrix™ requires the use of two-factor authentication.

Account Access

Internal Account Access

Login
• Access to all PCs, servers and databases with payment applications requires a unique user ID and secure authentication.
• Assign all users a unique ID before allowing them to access system components or cardholder data.

Authentication
• In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: password, passphrase or two-factor authentication.

Remote Account Access

Login
• Assign all users a unique ID before allowing them to access system components or cardholder data.
• Limit repeated password attempts by locking the user ID after not more than six attempts.
• Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
• If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal.
• Users must log in at least twice: once for workstation OS authentication and once for running VisualMatrix™.
• Limit user login times to the specific hours when they should have access to the system.
• Limit user system access to include only resources that are required for their job duties. • When a user no longer needs system access their account should be disabled and maintained on the system. When/if the user returns the account can be enabled and used again, maintaining a complete history of the users’ activity. • Changing VisualMatrix™ installation settings for unique user IDs and secure authentication will result in non-compliance with PCI-DSS v1.04 Authentication • In addition to assigning a unique ID the user requires an authentication password. • Incorporate two-factor authentication for remote access (network-level access originating from outside the network). • Render all passwords unreadable during transmission and storage on all system components using strong cryptography. 22 • Ensure proper user authentication and password management for nonconsumer users and administrators on all system components. • Do not use group, shared, or generic accounts and passwords. • Change user password at least every 90 days. • Require a minimum password length of at least 7 characters. • Use passwords containing both numeric and alpha characters. • Do not allow a user to submit a new password that is the same as any of the last four passwords he or she has used. • If a user forgets a password, the Administrator should require that the password be changed on the users’ next login attempt. Administrators should not have access to other users’ passwords. Passwords should never be transmitted via e-mail or the internet. • It is the client’s responsibility to track and manage passwords for VisualMatrix™ login. When contacted by a VisualMatrix™ Customer Service Technician the client must enable remote access and provide the technician with a password that meets all Authentication requirements. Administrator Account Access Login • Limit repeated passwords attempts by locking the user ID after not more than six attempts. 
• Set the lockout duration to a minimum of 30 minutes or until an Administrator enables the user ID.
• If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal.
• When an Administrator no longer needs system access, their account should be disabled and maintained on the system. When/if the Administrator returns, the account can be enabled and used again, maintaining a complete history of the user's activity.

Authentication
• Do not use group, shared, or generic accounts and passwords.
• Change Administrator passwords at least every 90 days.
• Require a minimum password length of at least 7 characters.
• Use passwords containing both alphabetic and numeric characters.
• Do not allow an Administrator to submit a new password that is the same as any of the last four passwords he or she has used.
• If an Administrator forgets a password, they should be required to change their password on the next login attempt. Administrators should not have access to other users' passwords.
• ECL access should always have a complex password. This password must be changed every 90 days.
• Passwords should never be transmitted via e-mail or the internet.
• It is the client's responsibility to track and manage passwords for VisualMatrix™ Administrative login. When contacted by a VisualMatrix™ Customer Service Technician, the client must enable remote access and provide the technician with an Administrative password that meets all Authentication requirements.

Windows Server Access

Remote Desktop Access

Connection
• Create unique connection usernames and passwords for each user who will access the Server via Remote Desktop.
• Change default settings in the remote access software (default passwords and the default connection port).
• Allow connections only from specific (known) IP/MAC addresses.
• Allow RDP connections only via a Virtual Private Network (VPN) on the firewall.
• Enable encrypted data transmission according to PCI DSS Requirement 4.1.
• Enable account lockout after a certain number of failed login attempts according to PCI DSS Requirement 8.5.13.
• Enable all Remote Desktop logging features.

Login
• Assign all users a unique ID before allowing them to access system components or cardholder data.
• Limit repeated password attempts by locking the user ID after not more than six attempts.
• Set the lockout duration to a minimum of 30 minutes or until an Administrator enables the user ID.
• If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal.
• When an Administrator no longer needs system access, their account should be disabled and maintained on the system. When/if the Administrator returns, the account can be enabled and used again, maintaining a complete history of the user's activity.
• Restrict access to customer passwords to authorized reseller/integrator personnel.
• VisualMatrix™ Administrative user access must be disabled when not in use. If you request assistance, a VisualMatrix™ Customer Service technician will contact you to have access enabled.

Authentication
• Do not use group, shared, or generic accounts and passwords.
• Change Administrator passwords at least every 90 days.
• Require a minimum password length of at least 7 characters.
• Use passwords containing both alphabetic and numeric characters.
• Do not allow an Administrator to submit a new password that is the same as any of the last four passwords he or she has used.
• If an Administrator forgets a password, they should be required to change their password on the next login attempt.
• Administrators should not have access to other users' passwords.
• ECL access should always have a complex password. This password must be changed every 90 days.
• Passwords should never be transmitted via e-mail or the internet.
• Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technology such as Remote Authentication Dial-In User Service (RADIUS); Terminal Access Controller Access Control System (TACACS) with tokens; or VPN/SSH (based on SSL V3 / TLS V1 or IPsec) with individual certificates.
• It is the client's responsibility to track and manage passwords for VisualMatrix™ Administrative login. When contacted by a VisualMatrix™ Customer Service Technician, the client must enable remote access and provide the technician with an Administrative password that meets all Authentication requirements.

Administration
• Assign all users a unique ID before allowing them to access system components or cardholder data.
• In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: password, passphrase or two-factor authentication.
• Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
• Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
  o Control addition, deletion and modification of user IDs, credentials, and other identifier objects.
  o Verify user identity before performing password resets.
  o Set first-time passwords to a unique value for each user and change them immediately after the first use.
  o Immediately revoke access for any terminated users.
  o Remove/disable inactive user accounts at least every 90 days.
  o Enable accounts used by vendors for remote maintenance only during the time period needed.
  o Communicate password procedures and policies to all users who have access to cardholder data.
  o Do not use group, shared, or generic accounts and passwords.
  o Change user passwords at least every 90 days.
  o Require a minimum password length of at least seven characters.
  o Use passwords containing both numeric and alphabetic characters.
  o Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
  o Limit repeated access attempts by locking out the user ID after not more than six attempts.
  o Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
  o If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal.
  o Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.

Regularly Monitor and Test Networks

Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes

VisualMatrix™ Security Auditing and Logging

Overview
The VisualMatrix™ product provides both access security and an audit trail of the activity performed by a user. For access security, entry of an ID and a password is required. The VisualMatrix™ application requires the use of complex passwords and provides the level of security the Payment Card Industry requires for limiting access to sensitive data to authorized users. Because some data, such as credit card numbers and driver's license numbers, is sensitive by nature, it is stored encrypted in the database using strong encryption. Any time a user who has been granted access to this data views it, an audit record is created. There are no settings to alter the auditing of this information; it is automatic and cannot be deactivated by the System Administrator.
With these processes in place, access is restricted to the authorized users established by the System Administrator, and once access is granted, the user's activity is monitored: document activity, changes to settings that could affect the operation of the software, and changes made to records within a file.

Security Auditing
As indicated, VisualMatrix™ provides the capability to restrict access to the application based on the assignment of an ID and password. Where a high level of security is required, the use of Complex passwords is strongly recommended; the VisualMatrix™ software is shipped with Complex passwords enabled. The ID assigned by the System Administrator is used in conjunction with the Complex password to grant access to the VisualMatrix™ application. To qualify as a Complex password, the password must meet the following criteria:
• The entry must contain a minimum of 7 characters
• The entry must contain at least one number
• The entry must contain at least one letter
• The entry cannot be the same as any of the user's last 4 passwords

The following PCI DSS requirements also apply to authentication and the handling of credentials:
• Use strong cryptography and security protocols such as SSL V3 / TLS V1 or IPsec to safeguard sensitive cardholder data during transmission over open, public networks
• Render all passwords unreadable during transmission and storage on all system components using strong cryptography
• Assign all users a unique ID before allowing them to access system components or cardholder data
• Incorporate two-factor authentication for remote access (network-level access originating from outside the network)
• Ensure proper user authentication and password management for non-consumer users and administrators on all system components
• Do not use group, shared, or generic accounts and passwords
• Change user passwords at least every 90 days
• Limit repeated access attempts by locking out the user ID after not more than six attempts
• Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID
• If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal

The use of Complex passwords is also accompanied by a setting for the number of days a password is valid, indicating when it will expire and require the user to change it. The default setting is 90 days, and it is strongly recommended that this setting not be changed to lengthen the expiration period. During the login process, the user password is validated before access is granted to the VisualMatrix™ application. If the user's password is within 8 days of expiration, the user is shown the following message: "Your VisualMatrix™ password will expire in X days", where X represents the number of days remaining before expiration. The user can choose to change the password upon the first occurrence of this message or at any time prior to the expiration date. When changing the password, the user is required to enter their current password, then enter the new password according to the criteria noted above, and then verify the new password a second time. If a user forgets their password or believes it has been compromised, the System Manager can reset the password and allow the user to create a new password at the next login. If the user attempts to access the VisualMatrix™ application and enters an ID/password combination that cannot be authenticated for 6 consecutive attempts, the user is locked out of the application for 30 minutes. The System Manager can be contacted to remove the lock and allow the user to attempt access again, or to reset the user password as noted above. Please note that the User setting 'Allow Logon Pass-through' provides a convenience for users to bypass the VisualMatrix™ ID and password.
However, use of this setting will render your VisualMatrix™ application non-compliant with the Payment Card Industry requirements. Any deviation from the above guidelines for secure access will render the VisualMatrix™ software non-compliant.

Sensitive Data Audit
Specific individuals may be granted access to view the full data within the sensitive data file for purposes required by their position within the organization. From time to time it may be necessary to access the full credit card number or a customer's third-party account number. Any time this information is accessed by an individual with security clearance, an audit record is recorded with the following information:
• The process used to view the information
• The customer code associated with the information
• The last 4 digits of the sensitive data, not the full account number
• The type of data viewed: credit card, third-party account number, or checking account number
• The ID of the individual logged on to the VisualMatrix™ application
• The ID of the individual who has security clearance and granted access
• The date the information was reviewed
• The time the information was reviewed
• The success or failure of the attempt

The audit file of the sensitive data is itself encrypted with a sequential key to further protect it from external review. The information in the audit file can be reviewed via a report available from the System Manager set of menus, entitled "Report Secured Decryption Activity".
The report includes the information indicated above and can be filtered using the following report options:
• The user ID that requested to view the sensitive data
• The user ID of the individual that granted access to the sensitive data
• The customer code associated with the sensitive data
• The type of data viewed: credit card, third-party account number, or checking account number
• Starting date of the sensitive data access attempt
• Ending date of the sensitive data access attempt
• Attempted access: 'Granted', 'Denied' or 'All'

Maintain an Information Security Policy

Maintain a policy that addresses information security

Create a Security Policy
Image Technology Systems strongly advises merchants to observe their responsibilities under PCI DSS Requirement 12 in establishing, publishing, maintaining, and disseminating across the entire organization an information security policy that:
• Addresses all 12 PCI requirements from the merchant operation perspective.
• Includes an annual process that identifies threats and vulnerabilities and results in a formal risk assessment.
• Includes a review at least once a year and updates to reflect changes to business objectives or the risk environment.
• Develops daily operational security procedures that are consistent with PCI DSS requirements, such as user account maintenance procedures and log review procedures.
• Includes usage policies for critical employee-facing technologies, such as:
  o E-mail and Internet usage
  o Removable electronic media (e.g. USB drives), laptops/tablets, and mobile devices (e.g. smart phones, iPods)
  o Wireless technologies (if applicable)
  o Remote-access technologies (if applicable)

A strong Information Security Policy is not only required for PCI-DSS compliance; it also sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the importance of securing sensitive data and of their responsibilities for protecting it.
For further information on developing a merchant security policy, and for complete merchant responsibilities under PCI DSS Requirement 12, please refer to the resources available from the PCI Security Standards Council at: https://www.pcisecuritystandards.org/index.shtml

Payment Application Data Security Standard

PA-DSS considerations for proper implementation of VisualMatrix™ in PCI-DSS compliant environments:

Remove Historical Credit Card Data (PA-DSS 1.1.4.a)
PA-DSS 1.1.4.a states that historical data such as magnetic stripe data, card validation codes, PINs, or PIN blocks stored by previous versions of the software must be securely deleted. Secure removal of this data (if present) is absolutely necessary for PCI compliance. After successfully upgrading from any version prior to version 1.7.1 of VisualMatrix, the historical data must be securely deleted from both the server computer and any other computer or network share to which this data may have been copied. This data is typically in the directory C:\ImageTech\VisualMatrix\Shared\Backup on the server computer and also in C:\ImageTech\VisualMatrix\Shared\PreUpgrade. The Daily Backup files should be left in place, as these are rotated on a weekly basis. They have the names VM_XXX_Pre.Dbk and VM_XXX_Post.Dbk, where XXX is the 3-character abbreviation for the day of the week. These files should NOT be deleted. However, all other files having the 'dbk' extension should be deleted. Then securely remove any trace of these files by following these steps:
1. Quit all programs.
2. Click Start, click Run, type cmd, and then press ENTER.
3. Type cipher /W:C:\ImageTech\VisualMatrix and then press ENTER. This process could take several minutes, depending on the size of the hard drive.
Note that cipher /W overwrites the unallocated space of the entire volume that contains the named directory, not just that directory; if deleted backup files resided on another volume, run it against a directory on that volume as well. This should also be performed on any folder on any computer whose local drive was used as a destination to which the backup files may have been copied.
Also, any CDs to which the backups were saved should be destroyed, and any magnetic media should be completely overwritten or degaussed. These steps are necessary in order for your property to be in full PCI-DSS compliance.

Sensitive Authentication Data Requires Special Handling (PA-DSS 1.1.5.c)
PA-DSS 1.1.5.c states that the following guidelines must be followed when dealing with sensitive authentication data (swipe data, validation values or codes, PIN or PIN block data):
• Collect sensitive authentication data only when required to solve a specific problem.
• Store such data only in specific, known locations with limited access.
• Collect only the limited amount of data required to solve a specific problem.
• Encrypt sensitive authentication data while stored.
• Securely delete such data immediately after use.

Before going live with the VisualMatrix software, a temporary practice database is employed, one that does not typically have the credit card interface enabled. Upon going live, this database is replaced with a fully configured one that will have the credit card interface enabled (if one was purchased). Any cardholder data contained in the practice database (if the interface was enabled) will be overwritten by the live database. If the fully configured database was used for troubleshooting prior to going live, a utility is available that can purge all transactional data, including the encrypted credit card numbers, which are the only cardholder data stored in the database. This can be done by VisualMatrix technical support staff during the final 'bring the system live' procedure. In any event, full track data and CVV data are never stored in the databases or logs, and cannot be configured to be stored at any time in the production environment or when troubleshooting in the production environment.
The only files in which encrypted cardholder data is stored are the SQL database files VisualMatrix_Data.mdf and VisualMatrix_Log.ldf in the \ImageTech\VisualMatrix folder. All log files contain only masked PAN and track data and cannot be configured to store them in an unmasked format. Database backups are password protected and, when needed for troubleshooting, are securely downloaded to the Image Technology Systems development environment, restored using the strong password, and deleted immediately after the issue is resolved.

Purging of Cardholder Data (PA-DSS 2.1.a)
PA-DSS 2.1.a states that cardholder data must be purged after it exceeds the customer-defined retention period. The database is the only place VisualMatrix™ stores cardholder data. The retention settings must be set from the Security screen accessed from the Management / Setup / Parameters tab. Any historical data that exceeds the customer-defined retention period will be automatically removed by the next Night Audit Process.

Key Management Roles and Responsibilities (PA-DSS 2.5 and PA-DSS 2.6)
PA-DSS 2.5 and PA-DSS 2.6 state that the payment application must implement key management processes and protect the cryptographic keys used for encryption of cardholder data against disclosure and misuse.

Payment application must protect any keys against disclosure and misuse
• Sensitive credit card information is protected in VisualMatrix through the use of encryption keys. Three USB flash drives will need to be available for use. Any size flash drive will work, as the file stored on the drive is not very large. No other data should be stored on the drive; it should be dedicated to the encryption key. Label the keys one, two and three. The first key, referred to as the active key, will remain in the server computer at all times. The second key is a backup of the active key and should be stored in a safe, secure location on site.
The third key is also a backup but should be stored in a safe, secure location off site, such as a safe deposit box or corporate office safe.
• If a USB flash drive is damaged, utilities are available to use a backup key to create another key, so that you always have three copies of the key. In the event that all three encryption keys are lost, you will lose access to all your credit card information. You would not be able to process any credit cards or settle any batches. It is also very important to understand that it will be IMPOSSIBLE, even for technical support, to retrieve any of the encrypted data.
• Any individuals who manage or have access to these keys should sign the Key Custodian form acknowledging their responsibility to protect the keys from disclosure and misuse. A sample of this form can be found in the file ITS Responsibility of Key Custodian.doc, available from Image Technology Systems technical support staff and also initially included with this document.

Implement key management processes and procedures for cryptographic keys used for encryption of cardholder data
• Initially, after installing or receiving the upgrade to Visual Matrix version 3.1 or higher, you will notice a message when you log in notifying you that the Encryption Keys need to be changed in order to be fully PCI compliant. The message also informs you of how many days you have left before the system locks. If the keys are not changed before the number of days left runs out, the system will be completely locked down: you will not be able to log in or use VisualMatrix at all.
• Additionally, you will be required to rotate these keys at intervals determined by management to fulfill PCI requirements upon expiration of a crypto-period. A crypto-period ends upon compromise of the keys (for example, the departure of an employee who had access to them) or after a time period reasonably shorter than the time necessary to break the keys.
We recommend that the keys be rotated at least once per year. Complete instructions for this procedure are provided online at: http://www.visualmatrixpms.com/implementation.asp.
• Rotation of the keys overwrites the previous keys; they are therefore revoked through replacement, and once the keys are rotated the previous keys are useless for decrypting the data encrypted with the current keys. If, however, you need to dispose of old keys for some reason (such as wanting to use the USB drive for another purpose), the following section explains how to securely delete them.

Removal of Cryptographic Material (PA-DSS 2.7.a)
PA-DSS 2.7.a states that cryptographic material must be removed. Such removal is absolutely necessary for PCI compliance. The cryptographic keys are recommended to be stored on removable drives (i.e. USB thumb drives). The files that contain the keys can be deleted securely by following these steps:
1. Make sure the Cryptographic Key thumb drive is inserted into the computer.
2. Determine the drive letter of the recently inserted drive (example: E:).
3. Quit all programs.
4. Click Start, click Run, type cmd, and then press ENTER.
5. Type del /s E:\*.* and then press ENTER; when prompted, type Y and then ENTER.
6. Type cipher /W:E:\ and then press ENTER. This process could take several minutes, depending on the size of the USB thumb drive.
This should also be performed on any other thumb drives containing old cryptographic keys, or when you want to use the USB drives for a purpose other than the cryptographic keys. These steps are necessary in order for your property to be in full PCI-DSS compliance. Extreme caution should be exercised when using either command, as they PERMANENTLY remove data from your removable drive. Two practical caveats: del without the /a switch skips hidden and system files, so confirm that nothing remains with dir /a before running cipher; and flash media use wear levelling, so an overwrite of free space does not guarantee that every physical block that once held the key has been overwritten. If a key drive is not going to be reused, physically destroying it is the more reliable course.
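The two secure-deletion procedures above (historical backups under PA-DSS 1.1.4.a and retired key drives under PA-DSS 2.7.a) follow the same pattern: delete the files, then overwrite the free space of the volume with cipher /W. The following PowerShell is an added example, not part of this guide or of the VisualMatrix software, that performs both steps while keeping the daily VM_XXX_Pre.Dbk / VM_XXX_Post.Dbk backups the guide says must stay in place. The folder paths and backup naming come from the guide; the drive letter E: for the old key drive and the function names are assumptions made for the example.

```powershell
# Added example (not from the Image Technology Systems guide or the VisualMatrix
# software): delete obsolete VisualMatrix backup files or retired key material,
# then overwrite the free space of each affected volume with cipher /W, as the
# PA-DSS 1.1.4.a and 2.7.a procedures describe. Run from an elevated PowerShell
# prompt. Folder paths and the VM_XXX_Pre/Post.Dbk naming come from the guide;
# the drive letter E: and the function names are assumptions.

# Daily backups the guide says must stay in place (VM_Mon_Pre.Dbk ... VM_Sun_Post.Dbk).
$DailyBackupPattern = '^VM_(Mon|Tue|Wed|Thu|Fri|Sat|Sun)_(Pre|Post)\.Dbk$'

function Get-ObsoleteBackups {
    # Every .dbk file under the given folders that is NOT a current daily backup.
    # -Force includes hidden files; -notmatch is case-insensitive, so .DBK also matches.
    param([string[]]$Folders)
    Get-ChildItem -Path $Folders -Filter '*.dbk' -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notmatch $DailyBackupPattern }
}

function Remove-FilesAndWipeFreeSpace {
    # Deletes the files, then runs cipher /W once per volume that held any of them.
    # cipher /W overwrites the unallocated space of the whole volume containing the
    # named directory (three passes), so it must be pointed at every affected volume.
    param(
        [System.IO.FileInfo[]]$Files,
        [switch]$WhatIf          # preview: list the actions, change nothing
    )
    if (-not $Files) { Write-Host 'Nothing to remove.'; return }
    foreach ($f in $Files) {
        if ($WhatIf) { Write-Host "Would delete $($f.FullName)" }
        else         { Remove-Item -LiteralPath $f.FullName -Force }
    }
    $volumes = $Files | ForEach-Object { $_.Directory.Root.FullName } | Sort-Object -Unique
    foreach ($v in $volumes) {
        if ($WhatIf) { Write-Host "Would run: cipher /W:$v" }
        else         { & cipher.exe "/W:$v" }     # slow; time grows with free space
    }
}

# 1. Historical backups left behind by versions before 1.7.1 (PA-DSS 1.1.4.a)
$backupFolders = 'C:\ImageTech\VisualMatrix\Shared\Backup',
                 'C:\ImageTech\VisualMatrix\Shared\PreUpgrade'
$obsolete = Get-ObsoleteBackups -Folders $backupFolders
Remove-FilesAndWipeFreeSpace -Files $obsolete -WhatIf    # review the list first
# Remove-FilesAndWipeFreeSpace -Files $obsolete          # then run for real

# 2. Retired key material on a USB drive (PA-DSS 2.7.a): every file, hidden ones included
$keyDrive = 'E:\'                                        # assumption: letter of the old key drive
$keyFiles = Get-ChildItem -Path $keyDrive -Recurse -Force -File -ErrorAction SilentlyContinue
Remove-FilesAndWipeFreeSpace -Files $keyFiles -WhatIf
# Remove-FilesAndWipeFreeSpace -Files $keyFiles
```

Run each call with -WhatIf first and read the list: a daily backup that does not follow the VM_XXX_Pre/Post naming would otherwise be deleted along with the obsolete files. Unlike the guide's del /s, -Force also picks up hidden and read-only files, so nothing is left behind for cipher /W to miss.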
Payment application enforces secure authentication credentials (PA-DSS 3.1.c and PA-DSS 3.2)

Use unique user IDs and secure authentication for administrative access and access to cardholder data
• Create PCI DSS-compliant complex passwords to access the payment application, per PCI Data Security Standard Requirements 8.5.8 through 8.5.15.
• Each user of the system must have a unique user name and strong password. They should not be shared among individuals. A strong password is one that is a minimum of 7 characters long with a combination of numeric and alphabetic characters. These passwords must also be changed periodically (every 90 days at most, or immediately if an employee is no longer on staff) and must not be the same as any of the 4 previous passwords used. In addition, inactive stations (after an idle period not exceeding 15 minutes) must require re-entry of the password in order to continue the session. This is facilitated by the VisualMatrix software from the Security screen accessed from the Management / Admin / Security tab and the Management / Setup / Parameters tab.

Failure to do the above will result in non-compliance with the PCI-DSS. Additionally, if the application's security level is reduced through user configuration error or failure to configure it properly, the software may be rendered non-compliant with PCI-DSS.

Audit Trails and Centralized Logging (PA-DSS 4.1, PA-DSS 4.3 and PA-DSS 4.4)
Per PA-DSS Requirements 4.2, 4.3 and 4.4, logs must be enabled, and disabling the logs will result in non-compliance with PCI DSS. All logs required per PA-DSS v2.0 requirements are enabled at the time of the VisualMatrix™ software installation.
VisualMatrix™ logging is configured per PCI DSS 10.2 and 10.3 as follows:
• Implement automated audit trails for all system components to reconstruct the following events:
  o 10.2.1 All individual user access to cardholder data
  o 10.2.2 All actions taken by any individual with root or administrative privileges
  o 10.2.3 Access to all audit trails
  o 10.2.4 Invalid logical access attempts
  o 10.2.5 Use of identification and authentication mechanisms
  o 10.2.6 Initialization of audit logs
  o 10.2.7 Creation and deletion of system-level objects
• Record at least the following audit trail entries for all system components for each event from 10.2.x:
  o 10.3.1 User identification
  o 10.3.2 Type of event
  o 10.3.3 Date and time
  o 10.3.4 Success or failure indication
  o 10.3.5 Origination of event
  o 10.3.6 Identity or name of affected data, system component, or resource
• All logs must remain enabled. Disabling any logs required by PA-DSS v2.0 requirements 4.2, 4.3 and 4.4 will result in non-compliance with PCI-DSS.

4.4 Provide instructions and procedures for incorporating the payment application logs into a centralized logging server
• All logs required per PA-DSS v2.0 requirements are enabled at the time of the VisualMatrix™ software installation. All logs must remain enabled. Disabling any logs required by PA-DSS v2.0 requirements 4.2, 4.3 and 4.4 will result in non-compliance with PCI-DSS.

Necessary and Secure Services, Protocols, Daemons, Components, and Dependent Software and Hardware (PA-DSS 5.4)
PA-DSS 5.4 states that payment applications must only use or require the use of necessary and secure services, protocols, daemons, components, and dependent software and hardware, including those provided by third parties, for any functionality required by the payment application (such as NetBIOS, file sharing, Telnet, FTP, or others), and that these should be secured via SSH, SFTP, SSL, IPsec, or other technology.
• VisualMatrix™ does not require any services, protocols, components, software or hardware that originate from external connections. Therefore, firewalls can be implemented that completely isolate the VisualMatrix Server and Client instances on a private subnet (please see the 'Network Configuration' section below). Any outbound connectivity should only be configured on an as-needed basis (i.e. connection to the Best Western VPN, etc.; see also 'Remote Updates' below).

PCI-Compliant Wireless Settings (PA-DSS 6.1.b and PA-DSS 6.2.b)
PA-DSS 6.1.b and PA-DSS 6.2.b state that if wireless is used within the payment environment, a firewall should be installed according to PCI DSS Requirement 1.3.8. Although the VisualMatrix™ application does not support wireless technologies, should the merchant implement wireless access within the cardholder data environment, the following guidelines for secure wireless settings must be followed according to PCI Data Security Standard Requirements 1.2.3, 2.1.1, and 4.1.1, which are stated above in the "Wireless Networking" section of this guide and are expanded upon here:

PCI Data Security Standard 1.2.3
Perimeter firewalls must be installed between wireless networks and systems that store cardholder data, and these firewalls must deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

PCI Data Security Standard 2.1.1
• All wireless networks must implement strong encryption; for example, Advanced Encryption Standard (AES-256).
• Encryption keys must be changed from the default at installation, and changed every time a person with knowledge of the keys leaves the company or changes positions.
• Default Simple Network Management Protocol (SNMP) community strings on wireless devices must be changed.
• Default passwords and passphrases on access points must be changed.
• Disable SSID broadcasts.
• Firmware on wireless devices must be updated to support strong encryption for authentication and transmission over wireless networks, such as WPA and WPA2.
• Other security-related wireless vendor defaults must be changed, where applicable.
• Mobile and employee-owned computers must be protected with personal firewall software.

PCI Data Security Standard 4.1.1
• Industry best practices must be used to implement strong encryption for the following over the wireless network in the cardholder data environment:
  o Transmission of cardholder data
  o Transmission of authentication data
• Payment applications using wireless technology must observe the following restrictions on Wired Equivalent Privacy (WEP):
  o For new wireless implementations, implementing WEP has been prohibited since March 31, 2009.
  o For current wireless implementations, using WEP is prohibited after June 30, 2010.

It is STRONGLY recommended that all of the computers used as client terminals for the VisualMatrix™ application be hard wired and not use wireless connections for the internal network. If wireless must be used, wireless communications, including authentication, must be encrypted using WPA or WPA2, following the guidance for hardening wireless connections above.

Never Store Cardholder Data on Internet-Accessible Systems (PA-DSS 9.1)
Cardholder data must not be stored on an Internet-accessible system. If a web server is used, it must not be on the same server on which the VisualMatrix™ software is installed. Both client and server computers must not be directly exposed to the internet or to any unauthorized connections. All client computers and the database server must exist in a private subnet. This should be accomplished by using a private network behind a firewall with hard wiring (NOT wireless). If the hotel is utilizing the WebLink Web Booking Engine, the web server machine must exist within its own subnet of the hotel's network.
Port 443 for SSL traffic must be forwarded only to the web server machine in the DMZ subnet, and a firewall must exist between the DMZ subnet and the private subnet. The firewall must block all traffic between the DMZ subnet and the private subnet, with the exception of traffic on port 7000 (for the Device Server) and the active SQL port for database traffic. These two exceptions should be scoped to the specific source and destination hosts (the web server and the servers it must reach), not to the subnets as a whole.

PCI-Compliant Remote Access Using Two-Factor Authentication (PA-DSS 10.2)
The VisualMatrix standard installation includes RealVNC software using AES encryption, which is only initiated by the customer during technical support sessions with Image Technology support staff. The secure session is initiated by the customer by entering a token generated by an Image Technology-controlled, securely accessed web service. This token, together with their current login credentials, is used to download a specially generated, key-protected session for remote access that is only valid for 30 minutes if not used and is only able to connect to the fixed IP address that belongs to the Image Technology technical support technician. VisualMatrix™ does not interfere with two-factor authentication systems that require a username and password combination and an additional authentication item such as a smart card or PIN.
• Client use of remote access technologies (Terminal Server, Citrix, etc.) to access VisualMatrix™ requires the use of two-factor authentication.
• Administrators who connect to the VisualMatrix™ application remotely must do so within a Virtual Private Network. Access must also be authenticated using a two-factor authentication mechanism (username/password and an additional authentication item, such as a token or certificate).

Administrators who access the server remotely should also adhere to the following guidelines:
• Remote access passwords are changed every 90 days.
• A minimum password length of at least seven characters is required.
Passwords containing both numeric and alphabetic characters are required. New passwords that are the same as any of the last four are not allowed. Repeated access attempts are blocked by locking out the user ID after not more than six attempts. The lockout duration is set to a minimum of 30 minutes or until the administrator enables the user ID. If a session has been idle for more than 15 minutes, the user must re-enter the password to re-activate the terminal. Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer). Allow connections only from specific (known) IP/MAC addresses. Use strong authentication and complex passwords for logins, according to PCI DSS Requirements 8.1, 8.3, and 8.5.8 - 8.5.15. Enable encrypted data transmission according to PCI DSS Requirement 4.1: o Strong encryption must be used during data transmission. o The server can support the latest patched versions of SSL. o HTTPS appears as a part of the browser Universal Record Locator. o No cardholder data is required when HTTPS does not appear in the URL. o Transactions were observed to encrypt cardholder data during transit. o Only trusted SSL V3 / TLS V1 keys and certificates are accepted. o Proper encryption strength was verified to be implemented for the encryption methodology in use. o For wireless networks transmitting cardholder data or connected to the cardholder data environment, guidance on industry best practices (for example, IEEE 802.11i) is provided to implement strong encryption for authentication and transmission. o Enable account lockout after a certain number of failed login attempts according to PCI DSS Requirement 8.5.13. 
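The host-side firewall rules implied by the PA-DSS 9.1 segmentation above (the database server reachable from the DMZ web server only on the SQL port and port 7000) and by the "known IP addresses only" guideline for remote access, as an added PowerShell example that is not part of this guide or of the VisualMatrix™ product. It configures the Windows Firewall on the database server with netsh. The web server address, the technician's support address, the SQL port and the VNC listener port are placeholders to be replaced with the values of your installation, and these rules complement, not replace, the separate firewall between the DMZ and private subnets that the guide requires.

```powershell
# Added example (not part of the VisualMatrix guide): Windows Firewall rules on the
# VisualMatrix database server enforcing the PA-DSS 9.1 segmentation and the
# "known addresses only" rule for remote support. All addresses and ports below are
# placeholders to replace with the values of your installation.
$WebServerIp   = '192.0.2.10'    # assumed: WebLink web server in the DMZ subnet
$SqlPort       = 1433            # assumed: the active SQL port of the database engine
$DeviceSvrPort = 7000            # Device Server port named in the guide
$SupportIp     = '203.0.113.5'   # placeholder: fixed IP of the Image Technology support technician
$VncPort       = 5900            # assumed: RealVNC listener port; confirm in your installation

# Default posture on every profile: drop unsolicited inbound traffic, allow outbound
# (outbound is what the upgrade program needs to reach the update web server).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Remove rules from a previous run so the script can be re-applied safely.
foreach ($name in 'VM-SQL-from-DMZ', 'VM-DeviceServer-from-DMZ', 'VM-VNC-from-Support') {
    netsh advfirewall firewall delete rule "name=$name" | Out-Null
}

# Only the DMZ web server may reach the SQL port and the Device Server port.
netsh advfirewall firewall add rule "name=VM-SQL-from-DMZ" dir=in action=allow protocol=TCP "localport=$SqlPort" "remoteip=$WebServerIp"
netsh advfirewall firewall add rule "name=VM-DeviceServer-from-DMZ" dir=in action=allow protocol=TCP "localport=$DeviceSvrPort" "remoteip=$WebServerIp"

# Remote support: only the technician's fixed address may reach the VNC listener, and the
# rule is created disabled so it is switched on only for the duration of a support session.
netsh advfirewall firewall add rule "name=VM-VNC-from-Support" dir=in action=allow protocol=TCP "localport=$VncPort" "remoteip=$SupportIp" enable=no

# During a support session:  netsh advfirewall firewall set rule name=VM-VNC-from-Support new enable=yes
# Immediately afterwards:    netsh advfirewall firewall set rule name=VM-VNC-from-Support new enable=no

# Verify what is actually open: every inbound rule with its state, action and remote scope.
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern '^(Rule Name|Enabled|Action|RemoteIP|LocalPort)'
```

Run it in an elevated PowerShell session on the database server. Creating the VNC rule disabled and enabling it only while a support session is in progress is the practical form of the "activate only when needed, deactivate immediately afterwards" rule under 10.3.1 below; the final listing is the evidence an assessor will ask for that nothing else is listening to the DMZ or the Internet.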
10.3.1 Activate remote-access technologies for payment application updates only when needed for downloads, and turn off immediately after download completes, per the corresponding PCI DSS Requirement.
• VisualMatrix™ software and updates are available through the Image Technology Systems secure FTP site. Access to the site is granted only to users with the appropriate authentication credentials, which are available only from within the VisualMatrix™ automatic update software.
• Remote-access technologies for payment application updates should be active only when needed. When not in use, they should be deactivated immediately.
• The VisualMatrix™ server computer must have a firewall blocking all inbound traffic from any public network (Internet), as indicated in the previous section. It does, however, need outbound permission to the VisualMatrix™ update web server (http://upgrades.visualmatrixpms.com).
• The updates are stored in a password-protected zip file and extracted by the upgrade program, which carries the password encrypted and embedded within itself. The extracted files are then validated against a hash key to make sure they have not been altered before they are used to upgrade the system.

10.3.2 Implement and use remote access software security features if remote access software is used to remotely access the payment application or payment environment.
• If remote access software is used to remotely access the payment application or payment environment, all remote access security features must be enabled.
• Allow connections only from specific (known) IP/MAC addresses.
• Use strong authentication and complex passwords for logins (see PA-DSS Requirements 3.1.1 through 3.1.10).
• Enable encrypted data transmission according to PA-DSS Requirement 12.1.
• Enable account lockout after a certain number of failed login attempts (see PA-DSS Requirement 3.1.8).
• Configure the system so that a remote user must establish a Virtual Private Network (VPN) or SSH connection via a firewall before access is allowed.
• Enable the logging function.
• Establish customer passwords according to PA-DSS Requirements 3.1.1 through 3.1.10.

Data Transport Encryption (PA-DSS 11.1)
PA-DSS 11.1 states that payment applications must implement and use SSL for secure cardholder data transmission over public networks, in accordance with PCI DSS Requirement 4.1. The PCI DSS requires the use of strong cryptography and encryption techniques, with at least a 256-bit encryption strength, at the transport layer with a Secure Sockets Layer (SSL v3) or Internet Protocol Security (IPsec) layer, or at the data layer with algorithms such as RSA or Triple Data Encryption Standard (3DES), to safeguard cardholder data during transmission over public networks (this includes the Internet and Internet-accessible DMZ network segments).

PCI DSS Requirement 4.1: Use strong cryptography and security protocols such as SSL/Transport Layer Security (TLS) and IPsec to safeguard sensitive cardholder data during transmission over public networks.
• Strong cryptography and security protocols must be implemented if secured cardholder data is accessed via public networks.
• The WebLink application must reside on a separate web server, which must also be behind a firewall that allows inbound traffic from the Internet on port 443 only. The web server must be configured to accept only HTTPS traffic on port 443, with a certificate.
• VisualMatrix™ credit card interfaces must be implemented and configured to use only SSL connections with associated certificates.

PCI-Compliant Use of End User Messaging Technologies (PA-DSS 11.2)
PA-DSS 11.2 states that payment applications must implement and use an encryption solution if PANs can be sent with end-user messaging technologies.
The VisualMatrix™ application does not, out of the box, provide the means to send PANs through end-user messaging technologies such as instant messaging or chat. The one exception is e-mail, and all credit card numbers are masked before an e-mail is transmitted. Image Technology Systems strongly recommends not allowing the use of instant messaging or chat applications in association with the VisualMatrix™ software. If they are allowed, the installation will be rendered non-compliant.

Non-console Administration (PA-DSS 12.1)
PA-DSS 12.1 states that payment applications must implement and use Secure Shell (SSH), Virtual Private Network (VPN), or SSL v3 / TLS v1 for encryption of any non-console administrative access to the payment application or to servers in a cardholder data environment. All non-console access to the VisualMatrix™ application server is achieved through secure protocols such as SSH or secure tunneling protocols such as a VPN. The VisualMatrix™ application does not use insecure services such as NetBIOS, file sharing, Telnet, or unencrypted FTP to manage the application (as per PCI DSS Requirement 2.3). Strong cryptography must be implemented and used (for example SSH, VPN, SSL v3, or TLS v1.0 or better) to encrypt any non-console administrative access to the VisualMatrix™ application or to servers within the cardholder data environment.

VPN or High Speed "Always On" Connections (PA-DSS 12.3.9)
If the computer is connected via VPN or other high-speed connection, remote payment application updates must be received via a securely configured firewall or personal firewall, per PCI DSS Requirement 1.
• When connected via VPN or other high-speed connection, remote payment application updates must be received via a securely configured firewall or personal firewall, per PCI DSS Requirement 1.
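A check for the WebLink web server, or any other HTTPS endpoint in the cardholder data environment, as an added PowerShell example that is not part of this guide or of the VisualMatrix™ product. It confirms that plain port 80 does not answer, that port 443 completes a TLS handshake, and that the certificate chains to a trusted root and has not expired, which is what PA-DSS 11.1 above and the "only trusted keys and certificates are accepted" item under PA-DSS 10.2 ask for. The host name is a placeholder; run the script from outside the private subnet, on a machine with .NET 4.5 or later. It offers only TLS 1.2, which is stricter than the SSL v3 / TLS v1 floor this guide states: SSL and early TLS have since been removed from what PCI DSS accepts as strong cryptography, so an endpoint that cannot negotiate TLS 1.2 should be treated as a finding.

```powershell
# Added example (not part of the VisualMatrix guide): probe an HTTPS endpoint for the
# PA-DSS 11.1 / 12.1 transport checks. $HostName is a placeholder.
param([string]$HostName = 'booking.example.com')

function Test-TcpPort {
    # Returns $true if a TCP connection to $TargetHost:$Port succeeds within the timeout.
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-TlsEndpointReport {
    # Handshakes on port 443 offering only TLS 1.2, records certificate chain errors
    # instead of hiding them, and returns the facts an assessor wants to see.
    param([string]$TargetHost)
    $script:ChainErrors = 'NotChecked'
    $validator = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        # Let the handshake finish so the certificate can be inspected, but keep the verdict.
        $script:ChainErrors = $sslPolicyErrors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $validator)
    try {
        # Last argument $true = check certificate revocation as well.
        $ssl.AuthenticateAsClient($TargetHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chainVerdict = [string]$script:ChainErrors   # 'None' is the only passing value
        New-Object PSObject -Property @{
            Host        = $TargetHost
            Protocol    = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            ChainErrors = $chainVerdict
            Trusted     = ($chainVerdict -eq 'None') -and ($cert.NotAfter -gt (Get-Date))
        }
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

# 1. The guide requires HTTPS on 443 only: plain HTTP must not answer at all.
if (Test-TcpPort -TargetHost $HostName -Port 80) {
    Write-Warning "$($HostName) accepts connections on port 80; the web server must serve HTTPS on 443 only."
} else {
    Write-Host "Port 80 closed on $($HostName): OK"
}

# 2. Port 443 must negotiate TLS 1.2 with a certificate that chains to a trusted root.
try {
    $report = Get-TlsEndpointReport -TargetHost $HostName
    $report | Format-List Host, Protocol, Cipher, Subject, Issuer, NotAfter, ChainErrors, Trusted
    if (-not $report.Trusted) { Write-Warning "Certificate on $($HostName) is not trusted or has expired." }
} catch {
    # An AuthenticationException here usually means the server cannot negotiate TLS 1.2.
    Write-Warning "TLS 1.2 handshake with $($HostName) failed: $($_.Exception.Message)"
}
```

A ChainErrors value other than None (for example RemoteCertificateChainErrors or RemoteCertificateNameMismatch) means the certificate would be rejected by a browser and fails the "only trusted keys and certificates are accepted" item; a chain error can also appear when the revocation check cannot reach the issuer's CRL from the network the script runs on, so confirm the cause before closing the finding.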
Please note that any deviation from the above document in any way could render your organization and/or the VisualMatrix™ software PCI DSS non-compliant and subject to breaches, fines, penalties and other adverse or costly consequences.

Installing the VisualMatrix™ Software
Installation of the VisualMatrix™ system requires (at minimum) the installation of a VisualMatrix™ server component. Optionally, if purchased, additional client installations may be completed.

VisualMatrix™ Server Installation
To install the VisualMatrix™ server, complete the following steps:
1. Install Microsoft Message Queuing from the Add/Remove Windows Components control panel. Be sure to select MSMQ Triggers as well.
2. Obtain the installation files VMFR4_2_0.exe and VM_OSSetup.exe from http://tech.image-support.com. A username and password for this website may be obtained from the support department at Image Technology Systems.
3. Validate the SHA256 hash value of the downloaded files using a tool such as Hash Generator 3.0 from http://securityxploded.com/hashgenerator.php. The hash value of each downloaded file must match the hash value provided on the download site. If the hash values of the downloaded files do not match, contact the technical support department at Image Technology Systems immediately and do not open the downloaded files. If the hashes validate, proceed with Step 4.
4. Right click on VM_OSSetup.exe and choose “Run As Administrator.” Click on “Run Setup” and reboot when prompted.
5. After reboot, launch VMFR4_2_0.exe.
6. On the “Install Prerequisites” screen, click “Setup.”
7. Once the prerequisites are installed, the VisualMatrix™ installer will continue. Select “Install Server” to continue server installation.
8. When prompted to select a local hard drive for installation, choose the appropriate drive. (Note: in most instances, this will be C:\)
9. Click the “Step 1: Install Database Engine” button.
10. When Step 1 is complete, you will be prompted to reboot. Complete the reboot. Installation will continue automatically after a successful restart.
11. After restart, click the “Step 2: Install Visual Matrix Database” button.
12. When the VisualMatrix™ database installation is complete, you will be given an information screen containing important information. Make note of this information, especially the server name. The server name will be required for client installations.
13. Ensure that the proper folder for client updates is shared according to the data given on the information screen.
14. Launch the VisualMatrix™ software and log in with the details given on the information screen. Navigate to Front Office – Supervisor – System Maintenance – Upgrade and ensure that the VisualMatrix™ software installed is the most current version. If it is not, proceed with any available upgrades by following the instructions found in the Knowledge Base on http://tech.image-support.com.

VisualMatrix™ Client Installation
To install the VisualMatrix™ client, complete the following steps:
1. Obtain the installation files VMFR4_2_0.exe and VM_OSSetup.exe from http://tech.image-support.com. A username and password for this website may be obtained from the support department at Image Technology Systems.
2. Validate the SHA256 hash value of the downloaded files using a tool such as Hash Generator 3.0 from http://securityxploded.com/hashgenerator.php. The hash value of each downloaded file must match the hash value provided on the download site. If the hash values of the downloaded files do not match, contact the technical support department at Image Technology Systems immediately and do not open the downloaded files. If the hashes validate, proceed with Step 3.
3. Right click on VM_OSSetup.exe and choose “Run As Administrator.” Click on “Run Setup” and reboot when prompted.
4. After reboot, launch VMFR4_2_0.exe.
5. On the “Install Prerequisites” screen, click “Setup.”
6. Once the prerequisites are installed, the VisualMatrix™ installer will continue. Select “Install Client” to continue client installation.
7. When prompted to select a local hard drive for installation, choose the appropriate drive. (Note: in most instances, this will be C:\)
8. In the Server Name field, enter the NetBIOS name of the VisualMatrix™ server. (Note: this is the server name given when the installation of the VisualMatrix™ server was completed.)
9. When the VisualMatrix™ client installation is complete, you will be able to log into the client software. The client software will automatically update itself from the VisualMatrix™ server.
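The hash validation required in step 3 of the server installation and step 2 of the client installation, as an added PowerShell example that is not part of this guide or of the VisualMatrix™ product. It computes the SHA-256 of both installers with the .NET hashing classes (so it works on PowerShell 2.0, where Get-FileHash is not available), compares them with the values published on the download site, and starts VM_OSSetup.exe elevated only when both match. The expected hash strings below are placeholders to be replaced with the values from the download site, and the download directory is an assumption.

```powershell
# Added example (not part of the VisualMatrix guide): verify installer hashes before
# running anything, then launch the OS setup elevated only on success.
# Replace the placeholder strings with the SHA-256 values from the download site.
$Expected = @{
    'VMFR4_2_0.exe'  = '<sha256 value published on http://tech.image-support.com>'
    'VM_OSSetup.exe' = '<sha256 value published on http://tech.image-support.com>'
}
$DownloadDir = "$env:USERPROFILE\Downloads"   # assumed location of the downloaded files

function Get-Sha256Hex {
    # Lower-case hex SHA-256 of a file, computed with .NET so PowerShell 2.0 suffices.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Test-InstallerHashes {
    # Returns $true only if every expected file exists and its hash matches.
    # Status lines go to the host (Write-Host), not the pipeline, so the return
    # value stays a single boolean.
    param([hashtable]$ExpectedHashes, [string]$Directory)
    $allOk = $true
    foreach ($file in $ExpectedHashes.Keys) {
        $path = Join-Path $Directory $file
        if (-not (Test-Path $path)) {
            Write-Warning "$file is missing from $Directory"
            $allOk = $false
            continue
        }
        $actual = Get-Sha256Hex -Path $path
        $wanted = $ExpectedHashes[$file].Trim().ToLowerInvariant()
        if ($actual -eq $wanted) {
            Write-Host "OK        $file  $actual"
        } else {
            Write-Warning "MISMATCH  $file`n  expected $wanted`n  got      $actual"
            $allOk = $false
        }
    }
    return $allOk
}

if (Test-InstallerHashes -ExpectedHashes $Expected -Directory $DownloadDir) {
    # Only now run the OS setup elevated, as the next installation step instructs.
    Start-Process -FilePath (Join-Path $DownloadDir 'VM_OSSetup.exe') -Verb RunAs
} else {
    Write-Error "Hash check failed: do not open the files; contact Image Technology Systems support."
}
```

The check fails closed: an unreplaced placeholder, a missing file or a single differing byte stops the installation. Because the download site and the published hash values are both served over http://, the comparison only proves the file was not altered in transit if the expected value was obtained through a channel an attacker on the path could not also control, so when in doubt confirm the hash with Image Technology Systems support by phone before proceeding.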